Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-05-2024 19:24
- Static task: static1
- Behavioral task: behavioral1
- Sample: Office 365 Smtp Checker by xLotus.exe
- Resource: win10v2004-20240426-en
General
- Target: Office 365 Smtp Checker by xLotus.exe
- Size: 1.7MB
- MD5: 28a0ae801847b00a6d9ab94eb4219960
- SHA1: 6af322147806d1a82472cc4d55d5acd1b79a5be9
- SHA256: 85bcedf925b9c4736e58be9585168b8bff41b5ad76d85a188b004967c023bd6c
- SHA512: 8d53673af698c0aa248ae19e718ca6ce7bd127d11e195c2ccec10f16dd161ac9b0cc879cd30c808fb29bbe57f715de0f15e81f687a2c525af8c27a426f2b84d7
- SSDEEP: 24576:nnDdfAtPrMkuLBVmAwmCyH2xujp2JN8cSPz10+2yoMTEmPZbS8Mig7yxN82+s+cw:nWM/P5P2xj3e12EwmPNS8Rtz11+Ug
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla payload (2 IoCs)
  Processes:
  resource                                                                    yara_rule
  behavioral1/memory/1232-8-0x0000000006900000-0x0000000006BCA000-memory.dmp   family_agenttesla
  behavioral1/memory/1232-9-0x0000000006BD0000-0x0000000006DE4000-memory.dmp   family_agenttesla
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes:
  pid    process
  1180   netsh.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes: Office 365 Smtp Checker by xLotus.exe, svchost.exe
  description         ioc                                                                                                     process
  Key value queried   \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation   Office 365 Smtp Checker by xLotus.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation   svchost.exe
- Drops startup file (2 IoCs)
  Processes: svchost.exe
  description                    ioc                                                                                                         process
  File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ebe8ac4d453f424fb04983e03f7ffc9e.exe   svchost.exe
  File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ebe8ac4d453f424fb04983e03f7ffc9e.exe   svchost.exe
- Executes dropped EXE (2 IoCs)
  Processes:
  pid    process
  2208   svchost.exe
  4568   svchost.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: svchost.exe
  description       ioc                                                                                                                                                      process
  Set value (str)   \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ebe8ac4d453f424fb04983e03f7ffc9e = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .."   svchost.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ebe8ac4d453f424fb04983e03f7ffc9e = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .."                             svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: Office 365 Smtp Checker by xLotus.exe
  description         ioc                                                              process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS               Office 365 Smtp Checker by xLotus.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   Office 365 Smtp Checker by xLotus.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion        Office 365 Smtp Checker by xLotus.exe
- Suspicious use of AdjustPrivilegeToken (28 IoCs)
  Processes: Office 365 Smtp Checker by xLotus.exe, svchost.exe
  description                         pid    process
  Token: SeDebugPrivilege             1232   Office 365 Smtp Checker by xLotus.exe
  Token: SeDebugPrivilege             4568   svchost.exe
  Token: 33                           4568   svchost.exe   (13 entries, alternating with the row below)
  Token: SeIncBasePriorityPrivilege   4568   svchost.exe   (13 entries)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: Office 365 Smtp Checker by xLotus.exe, svchost.exe, svchost.exe
  description                      pid    process                                 target process
  PID 1232 wrote to memory of 2208  1232   Office 365 Smtp Checker by xLotus.exe   svchost.exe   (3 entries)
  PID 2208 wrote to memory of 4568  2208   svchost.exe                             svchost.exe   (3 entries)
  PID 4568 wrote to memory of 1180  4568   svchost.exe                             netsh.exe     (3 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\Office 365 Smtp Checker by xLotus.exe (PID 1232)
  command line: "C:\Users\Admin\AppData\Local\Temp\Office 365 Smtp Checker by xLotus.exe"
  signatures: Checks computer location settings; Enumerates system info in registry; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\Microsoft Corp\svchost.exe (PID 2208, child of 1232)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft Corp\svchost.exe"
    signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\svchost.exe (PID 4568, child of 2208)
      command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      signatures: Drops startup file; Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\netsh.exe (PID 1180, child of 4568)
        command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
        signatures: Modifies Windows Firewall
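The process chain above is the whole persistence story of this sample: the original executable starts a copy named svchost.exe from a user-profile directory, that copy starts a second one, which drops a file into the Startup folder, writes Run values under both the user hive and the WOW6432Node machine hive, and has netsh.exe whitelist the dropped binary in the Windows Firewall. The real service host only ever runs from System32 or SysWOW64, so the name alone is the giveaway. As an added example (not part of the sandbox report), the Python below replays that chain as constructed Sysmon-style ProcessCreate, FileCreate and RegistryValueSet records and runs the detection rules a defender would derive from it; the field names follow Sysmon conventions, every record is hand-written, and the rule names are my own.

```python
"""Constructed Sysmon-style events replaying the report's process chain, plus
detection rules for the persistence and evasion steps it shows. Added example;
field names follow Sysmon conventions but every record below is hand-written."""
import ntpath
import re

LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
USER_PROFILE_MARKER = "\\users\\"          # anything under C:\Users\ is user-writable
RUN_KEY_RE = re.compile(
    r"\\software\\(wow6432node\\)?microsoft\\windows\\currentversion\\run\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)
NETSH_FW_RE = re.compile(r"\bfirewall\s+add\s+allowedprogram\b", re.I)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Office 365 Smtp Checker by xLotus.exe"
DROP1 = r"C:\Users\Admin\AppData\Roaming\Microsoft Corp\svchost.exe"
DROP2 = r"C:\Users\Admin\AppData\Roaming\svchost.exe"


def proc(pid, ppid, image, cmdline):
    """Build a ProcessCreate record (constructed, not captured telemetry)."""
    return {"EventType": "ProcessCreate", "ProcessId": pid,
            "ParentProcessId": ppid, "Image": image, "CommandLine": cmdline}


EVENTS = [
    proc(1232, 900, SAMPLE, f'"{SAMPLE}"'),
    proc(2208, 1232, DROP1, f'"{DROP1}"'),
    proc(4568, 2208, DROP2, f'"{DROP2}"'),
    {"EventType": "FileCreate", "ProcessId": 4568,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu"
                       r"\Programs\Startup\ebe8ac4d453f424fb04983e03f7ffc9e.exe"},
    {"EventType": "RegistryValueSet", "ProcessId": 4568,
     "TargetObject": r"HKU\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE"
                     r"\Microsoft\Windows\CurrentVersion\Run\ebe8ac4d453f424fb04983e03f7ffc9e",
     "Details": f'"{DROP2}" ..'},
    {"EventType": "RegistryValueSet", "ProcessId": 4568,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
                     r"\ebe8ac4d453f424fb04983e03f7ffc9e",
     "Details": f'"{DROP2}" ..'},
    proc(1180, 4568, r"C:\Windows\SysWOW64\netsh.exe",
         f'netsh firewall add allowedprogram "{DROP2}" "svchost.exe" ENABLE'),
    # Benign control: the real service host must not trip the masquerade rule.
    proc(1400, 700, r"C:\Windows\System32\svchost.exe",
         r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
]


def masquerading_svchost(image):
    """svchost.exe by name but not from System32/SysWOW64: a dropped binary borrowing a trusted name."""
    if ntpath.basename(image).lower() != "svchost.exe":
        return False
    return ntpath.dirname(image).lower() not in LEGIT_SVCHOST_DIRS


def run_key_into_user_profile(target_object, details):
    """Run-key value whose command lives under C:\\Users\\ (writable without admin rights)."""
    return bool(RUN_KEY_RE.search(target_object)) and USER_PROFILE_MARKER in details.lower()


def detect(events):
    """Return (rule, pid, evidence) tuples, in event order."""
    hits = []
    for e in events:
        kind, pid = e["EventType"], e["ProcessId"]
        if kind == "ProcessCreate":
            if masquerading_svchost(e["Image"]):
                hits.append(("svchost_outside_system32", pid, e["Image"]))
            if (ntpath.basename(e["Image"]).lower() == "netsh.exe"
                    and NETSH_FW_RE.search(e["CommandLine"])):
                hits.append(("netsh_firewall_allow", pid, e["CommandLine"]))
        elif kind == "RegistryValueSet" and run_key_into_user_profile(
                e["TargetObject"], e["Details"]):
            hits.append(("run_key_user_profile", pid, e["TargetObject"]))
        elif kind == "FileCreate" and STARTUP_DIR_RE.search(e["TargetFilename"]):
            hits.append(("startup_folder_drop", pid, e["TargetFilename"]))
    return hits


def ancestry(events, pid):
    """Follow ParentProcessId links root-first, so netsh.exe can be tied back to the sample."""
    by_pid = {e["ProcessId"]: e for e in events if e["EventType"] == "ProcessCreate"}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["Image"])
        pid = by_pid[pid]["ParentProcessId"]
    return chain[::-1]


if __name__ == "__main__":
    for rule, pid, evidence in detect(EVENTS):
        print(f"{rule:26} pid={pid:<5} {evidence}")
    print(" -> ".join(ntpath.basename(p) for p in ancestry(EVENTS, 1180)))
```

Run stand-alone it prints six hits (two masquerading svchost.exe images, the Startup-folder drop, both Run values, the netsh whitelist) and the chain `Office 365 Smtp Checker by xLotus.exe -> svchost.exe -> svchost.exe -> netsh.exe`; the System32 control process produces nothing. The `ancestry` walk is what turns an isolated netsh alert into an incident scoped to the original download.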
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads
- Filesize: 23KB
  MD5: 71ef183a5a18725806fa656974d49929
  SHA1: deebe1b2c77f1a9bfd6248f7c47a93e662680558
  SHA256: 68f78f7959a3f8eb3dff29f579125c80e9f0893ce571eb720304d2d7a881cf3c
  SHA512: abed2549cf3d13e50310b253097a3f9f68cded4465e72d2100301a773105c27b5d5c88913c63a27b6d34e2dea7b546d4c39d95a9c318daf1727c36aced241ac2